EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can help
Four steps to move from principles to process in your data ethics program
Step 1: Review existing policies and operating models
The first step is to take stock and evaluate how well existing data ethics principles, policies and processes are operating. Organizations should ask:
- To what extent can we trace existing ethical foundations back to current and emerging regulatory guidelines?
- How well do our existing controls operate when compared to the prevailing industry best practices and our competitors?
- What are the gaps in our existing ethics policies and related processes?
Answering these questions will usually enable organizations to identify key areas for policy and process improvements. It can also help you to trace data ethics controls back to a set of defined principles and regulatory guidance. From there, organizations should be able to define a target state that promotes lawfulness, accountability and trust.
Step 2: Engage internal and external stakeholder groups to refine key principles and policies
Using a mix of interviews, customer reviews and surveys, the goal for the second step is to surface the ethical tensions between stakeholders and, in turn, identify areas where their ethical sentiments converge. This should help to determine the organization’s data ethics risk appetite.
It is often not clear how the trade-off between unlocking value from data assets should be balanced against the interests of other stakeholders outside of the organization. Therefore, engaging with internal stakeholders, regulatory bodies and customers is usually essential as you develop, implement and run the framework. You should:
- Identify which internal stakeholders should be engaged to deliver a diverse and representative balance of voices and opinions that are relevant to organizational goals.
- Take care that the Data Ethics Board, if the organization has one, contains representatives from the executive board, non-executive directors, technology, legal and compliance.
- Supplement the Data Ethics Board with representatives from outside the organization, such as customer representatives, academics and external consultants who can embed a balance of views and challenge decisions more freely.
As organizations develop a risk appetite, you should provide platforms where the voice of the customer is clearly considered by engaging with customers through online surveys, in-person interviews and customer labs.
Step 3: Design and implement a trade-off framework
Once you have positively defined the standards that match the organization’s ethical appetite, designing and implementing an ethics trade-off framework is the leap that will usually take organizations from a principles-based approach to one that embeds data ethics into existing processes, operations and decision-making. It can also enable organizations to transition from paper policies to a technology-led architecture.
An ethics trade-off framework is a system that helps data users evaluate the trade-offs between opposing ethical positions. For example, a trade-off framework could include technology-enabled processes, rules and logic that aid first-line data users to:
- Identify the ethical impacts of a proposed data use-case.
- Evaluate the ethical risks flowing from the trade-offs that result from those impacts.
- Evaluate whether these risks fall within the organization’s ethical appetite.
The outputs of the framework can then usually be used to anchor decision-making.
Step 4: Utilize technology to embed data ethics controls in first-line decision-making
Now that the organization has the building blocks of a data ethics architecture in place, the final step is to apply the newly enhanced policies, ethical appetite and trade-off framework to existing day-to-day processes and controls and test them so that they function as intended.
New technologies can help digitize the privacy risk control environment to unlock value from your data assets. You should explore how new technologies embed data ethics controls and test whether the solution can help deliver clear data ethics assessments to first-line data users, support rapid decision-making and guide sustainable business growth.
Lastly, to maintain the organization’s ethical appetite, regularly refresh opinions from stakeholders to update stakeholder sentiment in the trade-off framework. Monitor developing regulatory guidance and update policies as needed. Review the use-cases being tested by front-line staff to validate that the trade-off framework is delivering the expected results, and request feedback from technology users to streamline the approach.
EY member firms do not practice law where not permitted by local law or regulation.
Summary
Operationalizing data ethics within your organization can be challenging, but the benefits are many. Defining and embedding data ethics, including trade-off guidelines, into technology-supported processes can help you demonstrate to regulators, guidance bodies and consumers that your organization is acting within the letter and spirit of data protection rules. Doing so can help you garner greater trust from consumers and may help you stay ahead of regulatory developments by identifying early changes in regulatory attitudes. A clear framework also provides your employees with guardrails within which they can explore innovative and ethically acceptable ways to unlock value from data.